Your SlideShare is downloading. ×
0
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Iss acon2010 tomhave-navetta-final
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Iss acon2010 tomhave-navetta-final

662

Published on

Tomhave and Navetta presentation at the 2010 ISSA International Conference

Tomhave and Navetta presentation at the 2010 ISSA International Conference

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
662
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Risk (reduced – least costs security controls)
    If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL.
    Judge Learned Hand United States v. Carroll Towing Co. 159 F.2d 169 (2d. Cir. 1947)
    Risk-based factors in regulations
    the size, scope, complexity and type of business
    the amount of resources available to such person
    the amount of sensitive data
    nature and scope of its activities
  • Transcript

    • 1. Legally Defensible, Proactively Protected David Navetta, Esq., CIPP Benjamin Tomhave, MS, CISSP
    • 2. David Navetta, Esq., CIPP Founding Partner, InfoLawGroup LLP Co-Chair, ABA Information Security Committee Certified Information Privacy Professional (through IAAP)
    • 3. Ben Tomhave, MS, CISSP Gemini Security Solutions MS Engineering Mgmt (InfoSec Mgmt) Co-Vice Chair, ABA ISC ~15 yrs (AOL, WF, E&Y, INS/BT, ICSA Labs)
    • 4. “Just the Facts” Not if, but when Mounting legal costs Increasing regulatory burden SECURITY PROS WILL HAVE TO DEFEND THEIR DECISIONS IN A FOREIGN REALM: the legal world
    • 5. The Gap is Acute Collision of the legal and information security worlds More regulations, more lawsuits, more contract obligations Making decisions that have legal implications and interpreting legal requirements Conversation is lacking or non-existent
    • 6. Multiple Legal Regimes State, Federal, International (e.g. E.U.) Evolving & Overlapping laws, jurisdictions Regulator / private enforcement Contract law Tort law Securities law
    • 7. Legal Defensibility Viewing requirements from an external legal perspective (plaintiff, judge, jury, regulator) Security choices become legal positions Security decision-making process with legal baked in The goal is to anticipate reasonably foreseeable (legal) consequences and reduce legal risks
    • 8. Using Legal Defensibility... Key Attributes Real-World Examples Recommended Steps Action Plan
    • 9. Sidebar: LegDef Origins Survivability ★ Defensibility ★ Recoverability Resilience How to codify?
    • 10. Key Attributes Risk Management Awareness, Understanding, Translation Collaboration Documentation of... decision-making processes... key infosec decisions with potential for legal impact. Attorney-client privilege
    • 11. Real-World Examples HHS: investigations v. actions http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historical Online banking Shames-Yeakel v. Citizens Financial Bank EMI v. Comerica Guin v. Brazos Higher Education Service Corp. Inc.
    • 12. PCI Interpretative Variances 12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following: 12.8.1 Maintain a list of service providers. 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
    • 13. Security v. Legal Viewpoint PCI SECURITY VIEWPOINT V. LEGAL VIEWPOINT
    • 14. Key Legal Issues “Reasonable” “Appropriate” “Comprehensive” “Adequate” Risk-based factors Size, scope, type, complexity of organization Nature and scope of activities Resources of company Sensitivity of data Volume of data Third-party security assessments – matching risk tolerance
    • 15. Key Legal Issues What legal obligations? Interpretation by courts/regulators Foreseeability! Plaintiff attorney strategies Litigation strategy and procedure
    • 16. Examples of Legal Obligations Security “standards” under the law Contract obligations Service providers and outsourcing Document retention and preservation
    • 17. Indicia of Legal Compliance Risk analysis and remediation Comply with own policies Misrepresentations Specific controls Vendor management Compliance with standards
    • 18. Recommended Steps A champion arises! Find your allies Perform analysis Create your strategy Execute (w/ documentation!)
    • 19. Action Plan 1. Hold key stakeholder meeting(s) and collaboration 2. Conduct information security legal audit ★ What legal requirements apply? ★ Do current security measures address those legal requirements?
    • 20. Action Plan 3. Conduct legal defensibility analysis: ★ Develop security decision process formally incorporating legal analysis ★ Address areas of non-compliance ★ Develop legal positions on high risk legal requirements ★ Develop legal positions for “gray area” legal requirements
    • 21. Action Plan 4. Memorialize positions and proof: ★ Document indicia of legal compliance (e.g. identify standards compliant with, documentation of due diligence, etc.) ★ Document applicable legal positions under attorney- client privilege
    • 22. Q & A THANK YOU!
    • 23. Contact Information David Navetta, Esq., CIPP www.infolawgroup.com dnavetta@infolawgroup.com Benjamin Tomhave, MS, CISSP geminisecurity.com btomhave@geminisecurity.com

    ×